5.2.4.6 Ensure audit configuration files are owned by root

Information

Audit configuration files control auditd and what events are audited.

Access to the audit configuration files could allow unauthorized personnel to prevent the auditing of critical events.

Misconfigured audit configuration files may prevent the auditing of critical events or impact the system's performance by overwhelming the audit log. Misconfiguration of the audit configuration files may also make it more difficult to establish and investigate events relating to an incident.

Solution

Run the following command to change ownership to root user:

# find /etc/audit/ -type f ( -name '*.conf' -o -name '*.rules' ) ! -user root -exec chown root {} +

See Also

https://workbench.cisecurity.org/benchmarks/15286

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 55ea7e7a224d98cf795acb25199c7da0963caf6d2fc6232c21ed6e8655dc3dc4